Answer the question
In order to leave comments, you need to log in
S
S
spazmoGnom2021-01-18 23:11:52
spazmoGnom, 2021-01-18 23:11:52
How to connect to a device on a local network from the Internet through a server purchased from a provider?
I want to make it so that I can connect to a device on the local network behind NAT (no white IP) from the Internet through a server / vps purchased from a provider.
There is a computer (let's call it K1) at the local address 192.168.1.10, for example. And I have my own VPS with a white IP (let it be 88.77.66.55). It is required to make sure that K1 has ports 80, 443, and all ports from 1000 to 65535 are visible at the VPS address with the corresponding port. The whole local matter is behind the keenetic ultra router, although I can add mikrotik hap or another necessary router up to 3-4k at a price (but if there is an opportunity without it, it will be great)
That is, I make a request to 88.77.66.55:8080 and I get a response from K1 from port 8080. And all other ports are the same.
Does anyone have a ready-made tutorial on how to set it up or can you advise where to start digging and in which direction (maybe some articles) or what functionality can help me solve this need?
5 answer(s)
@spazmoGnom
@ky0
@Karpion
A
Andrey Barbolin, 2021-01-19 @spazmoGnom
You need to
- raise the VPN between 88.77.66.55 and 192.168.1.10
- let the addresses inside the VPN be 10.200.200.1 and 10.200.200.2
- set up forwarding from the address 88.77.66.55 to 10.200.200.2
As a VPN, I recommend Wireguard, the easiest to set up.
Below is an approximate minimum config, do not forget about security (close unnecessary ports). Don't forget to change $WAN$ to your interface. It is important that when forwarding ports, all traffic from 192.168.1.10 would go through the VPN or use nginx-proxy on 88.77.66.55.
spoiler
https://habr.com/ru/post/486452/
### Install the WireGuard and WireGuard tools.
sudo apt install wireguard-dkms wireguard-tools
### Enable the WireGuard kernel module and check the status
sudo modprobe wireguard && lsmod | grep wireguard
### Generate keys
wg genkey | tee wg-server-private.key | wg pubkey > wg-server-public.key
wg genkey | tee wg-client-private.key | wg pubkey > wg-client-public.key
### Server config /etc/wireguard/wg0.conf
[Interface]
Address = 10.200.200.1/24
ListenPort = 51820
PrivateKey = $wg-server-private.key$
[Peer]
PublicKey = $wg-client-public.key$
AllowedIPs = 10.200.200.2/32
### Restart server wg
sudo systemctl restart wg-quick
### Client config
[Interface]
PrivateKey = $wg-client-private.key $
Address = 10.200.200.2/32
DNS = 1.1.1.1
[Peer]
PublicKey = $wg-server-public.key$
AllowedIPs = 0.0.0.0/0
Endpoint = 88.77.66.55:51820
## Allow Forward
sysctl -w net.ipv4.ip_forward=1
### Firewall
iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o $WAN$ -j MASQUERADE
iptables -t nat -A PREROUTING -i $WAN$ -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.200.200.2
iptables -t nat -A PREROUTING -i $WAN$ -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.200.200.2
https://habr.com/ru/post/486452/
### Install the WireGuard and WireGuard tools.
sudo apt install wireguard-dkms wireguard-tools
### Enable the WireGuard kernel module and check the status
sudo modprobe wireguard && lsmod | grep wireguard
### Generate keys
wg genkey | tee wg-server-private.key | wg pubkey > wg-server-public.key
wg genkey | tee wg-client-private.key | wg pubkey > wg-client-public.key
### Server config /etc/wireguard/wg0.conf
[Interface]
Address = 10.200.200.1/24
ListenPort = 51820
PrivateKey = $wg-server-private.key$
[Peer]
PublicKey = $wg-client-public.key$
AllowedIPs = 10.200.200.2/32
### Restart server wg
sudo systemctl restart wg-quick
### Client config
[Interface]
PrivateKey = $wg-client-private.key $
Address = 10.200.200.2/32
DNS = 1.1.1.1
[Peer]
PublicKey = $wg-server-public.key$
AllowedIPs = 0.0.0.0/0
Endpoint = 88.77.66.55:51820
## Allow Forward
sysctl -w net.ipv4.ip_forward=1
### Firewall
iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o $WAN$ -j MASQUERADE
iptables -t nat -A PREROUTING -i $WAN$ -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.200.200.2
iptables -t nat -A PREROUTING -i $WAN$ -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.200.200.2
K
ky0, 2021-01-18 @ky0
This is done not by forwarding ports "from the VPS address", but by banal VPN settings - so that both devices between which data transfer is needed are on the same network. Take any guide from Habr, even OpenVPN, even Wireguard.
K
Karpion, 2021-01-19 @Karpion
If NAT makes a device under your control, you can configure port forwarding inside the network. This can be done for the whole world (i.e. anyone can connect to a device on the local network ); or not for everyone, but for selected IP addresses.
You can configure not port forwarding, but an SSh tunnel. The manual is on Habré, search for the word "ssh". Both your VPS and a device on the local network can initiate an SSh tunnel .
You can set up a VPN from a device on the local network to your VPS. The VPN connection must be initiated by a device on the local network .
Similar questions
L
A
W
K
A
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question